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DETAILED ACTION 
Status of Claims 

1. This Non-Final Office action is in reply to the Application filed on 17 September 2003. 

2. Claims 1-30 are currently pending and have been examined. 

Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for 
the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), 
by another filed in the United States before the invention by the applicant for patent or (2) a 
patent granted on an application for patent by another filed in the United States before the 
invention by the applicant for patent, except that an international application filed under the treaty 
defined in section 351(a) shall have the effects for purposes of this subsection of an application 
filed in the United States only if the international application designated the United States and 
was published under Article 21(2) of such treaty in the English language. 

5. Claims 1, 4-11, 15-19, 21-25, 29, and 30 are rejected under 35 U.S.C. 102(e) as being 

anticipated by Callahan et al (Callahan) (U.S. Pub. No. 2003/0229525). 

6. CLAIM 1: 

With regard to Claim 1 , Callahan teaches a method and system comprising: 

• identifying outside service provider information that describes the outside 
service provider (provide a population of all third-party providers and risk- 
rank them) (see at least paragraph 0028). 

• storing the outside service provider information in a database (Assessment 
templates, 612, are also stored in fixed storage) (see at least paragraph 
0043). 
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• identifying resource information that describes resources of the enterprise 
associated with services provided by the outside service provider (the type of 
data shared between the financial services company and the provider) (see 
at least paragraph 0028). 

• storing the resource information in the database (Assessment templates, 
612, are also stored in fixed storage) (see at least paragraph 0043). 

• assessing an impact (impact value) on the enterprise from a degradation of 
the services from the outside service provider (the impact is less critical than 
if account balances, account numbers, and transactions were revealed) (see 
at least paragraph 0060). 

• storing the assessment in the database (Assessment templates, 612, are 
also stored in fixed storage) (see at least paragraph 0043). 

• automatically determining a criticality of the outside service provider in 
response to the assessment (the impact is less critical than if account 
balances, account numbers, and transactions were revealed) (see at least 
paragraph 0060). 

• storing the criticality in the database (Assessment templates, 612, are also 
stored in fixed storage) (see at least paragraph 0043). 

• providing status data from the database (SQL database) (see at least 
paragraph 0055), wherein the status data comprises at least one of a status 
of: 

o the resource information 

o the assessment (updated to change the status of the 

assessment) (see at least paragraph 0055). 
o the criticality (critical) (see at least paragraph 0060). 
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7. CLAIM 19: 

With regard to Claim 19, Callahan teaches a system, interface, database server, and 
application server (Microsoft's Internet Information Services) (see at least paragraph 0047). 
Claim 19 is further substantially similar to claim 1 and is rejected for the same rationale as set 
forth above. 

8. CLAIMS 4 and 21: 

With regard to Claims 4 and 21, Callahan teaches wherein at least one of the resources 
of the enterprise includes at least one software application employed by the enterprise 
(Application Software) (see at least paragraph 0029). 

9. CLAIMS 5 and 22: 

With regard to Claims 5 and 22, Callahan teaches: wherein the step of assessing the 
impact (threat value, impact value) on the enterprise further comprises at least one of: 

• assessing an impact on external customers (customer's name) (see at least 
paragraph 0060) of the enterprise resulting from the degradation of the 
services from the outside service provider. 

• assessing an impact on internal customers (of other areas of the enterprise) 
(see at least paragraph 0025) of the enterprise resulting from the degradation 
of the services from the outside service provider. 

• assessing a financial impact (account balances, account numbers, and 
transactions) resulting from the degradation of the services from the outside 
service provider (see at least paragraph 0060). 

• assessing an allowable time period that the degradation of the services from 
the outside service provider can last. 
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• assessing an impact on regulatory obligations (monitoring compliance with 
the GLBA [Gramm-Leach-Bliley Act (GLBA), paragraph 0002]) resulting from 
the degradation of the services from the outside service provider (see at least 
paragraph 0020). 

10. CLAIMS 6 and 23: 

With regard to Claims 6 and 23, Callahan teaches assigning specific people (data 
guardian) to fulfill roles with respect to management of a relationship with the outside service 
provider, wherein the roles include at least one of information owner and information risk 
manager (see at least paragraph 0034). 

11. CLAIMS 7 and 24: 

With regard to Claims 7 and 24, Callahan teaches receiving acknowledgements of the 
acceptances of the assignments from the specific people (obtains a sign-off from the approver) 
(see at least paragraph 0034). 

12. CLAIMS 8 and 25: 

With regard to Claims 8 and 25, Callahan teaches assigning alternate people to fulfill the 
roles (one or more re-viewers or "data guardians") (see at least paragraph 0026). 

13. CLAIM 9: 

With regard to Claim 9, Callahan teaches wherein the role of the information owner 
comprises at least one of: 

• obtaining from the outside service provider copies of financial and non- 
financial audit reports (audits) (see at least paragraph 0024). 

• obtaining documentation describing the outside service provider's 
procedural, physical access, logical access and business recovery controls 
(emphasizing those that have access to or who manipulate, store, transmit or 



Application/Control Number: 10/664,283 Page 6 

Art Unit: 3623 

destroy the company's consumer customer information) (see at least 
paragraph 0028). 

• requiring notification by the outside service provider of any organization, 
security-related and other changes affecting the availability, confidentiality, or 
integrity of the services provided by the outside service provider. 

• initiating the risk assessment process (The process starts at 201) (see at 
least paragraph 0026). 



14. CLAIM 10: 

With regard to Claim 10, Callahan teaches wherein the role of information risk manager 
(data guardian) comprises at least one of: 

• maintaining an updated list of outside service providers used by the 
enterprise (the database is kept updated) (see at least paragraphs 0054- 
0056). 

• allocating resources for the outside service provider assessment process. 



15. CLAIMS 11 and 30: 

With regard to Claims 1 1 and 30, Callahan teaches wherein all of the steps of the method 
are facilitated using a software application (risk assessment module), the method further 
comprising: 

• generating data input screens for accepting input from a user (screens that 
show detail of how comments are entered and risk values are established) 
(see at least paragraph 0059). 

• providing drop down boxes on the data input screens in order to facilitate 
selection of predefined information (a drop-down box, accessed from the tab, 
displays that progress) (see at least paragraph 0058). 
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16. CLAIMS 15 and 29: 

With regard to Claims 15 and 29, teaches providing status data on the enterprise level; 
providing status data on a line of business level; and providing status data on a department level 
(handle assessments at whatever level a business unit or the enterprise wants, executives, 
administrators, senior managers) (see at least paragraph 0032). 

17. CLAIM 16: 

With regard to Claim 16, Callahan teaches wherein the enterprise has policies and 
procedures (policies and procedures) for protecting the integrity of the provision of services 
(Identify perceivable threats, evaluate the likelihood of those threats), the method further 
comprising assessing the compliance (compliance) of the outside service provider to the policies 
and procedures (see at least paragraph 0025). 

18. CLAIM 17: 

With regard to Claim 17, Callahan teaches developing a corrective action plan if the 
outside service provider is not in compliance, the corrective action plan containing the steps 
required to bring the outside service provider into compliance (The assessor works through 
whatever corrective action needs to be taken on the assessment and re-submits it to the data 
guardian) (see at least paragraph 0057). 

19. CLAIM 18: 

With regard to Claim 18, Callahan teaches obtaining an acknowledgement by 
management of the enterprise of risk associated with the non-compliance of the outside service 
provider (non-compliance is indicated based on a response or group of responses) (see at least 
paragraph 0023). 
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Claim Rejections - 35 USC § 103 

20. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as 
set forth in section 102 of this title, if the differences between the subject matter sought to be 
patented and the prior art are such that the subject matter as a whole would have been obvious 
at the time the invention was made to a person having ordinary skill in the art to which said 
subject matter pertains. Patentability shall not be negatived by the manner in which the invention 
was made. 

21. Claims 2, 3. 12-14. 20, and 26-28 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Callahan as applied to claims 1,4-11, 15-19, 21-25, 29, and 30 above, in view of Bott (U.S. 
6,856,973) and in further view of Borgia et al (Borgia) (U.S. Pub. No. 2002/0129221 ). 

22. CLAIMS 2 and 20: 

With regard to Claims 2 and 20, Callahan does not specifically teach identifying countries 
in which the outside service provider operates and determining a country impact risk associated 
with the countries, wherein the step of automatically determining the criticality is also in response 
to the country impact risk. Bott teaches identifying countries in which the outside service provider 
operates and determining a country impact risk (volatility risk) associated with the countries, 
wherein the step of automatically determining the criticality is also in response to the country 
impact risk in analogous art of assessing creditworthiness of a country for the purposes of, "[ujnits 
of government could use their legal empowerment to delay or discontinue transactions" (see at 
least column 8, lines 10-22). 
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It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the volatility risk of that country as taught by Bott with the integrated compliance 
monitoring method of Callahan. One of ordinary skill in the art would have been motivated to do 
so for the benefit of knowing an updated status of a country's ability to maintain a strong 
economic status (Bott, column 8, lines 10-22). 



23. CLAIM 3: 

With regard to Claim 3, Callahan does not specifically teach collecting economic 
condition information with respect to the country; storing the economic condition information in the 
database; collecting social condition information with respect to the country; storing the social 
condition information in the database; collecting political condition information with respect to the 
country; add storing the political condition information in the database. Bott teaches collecting 
economic (economic) condition information with respect to the country; storing the economic 
condition information in the database (creating a database of economic scores for the country) 
(see at least column 1 , lines 36-45); collecting social condition (social) information with respect to 
the country; storing the social condition information in the database; collecting political condition 
information with respect to the country; add storing the political condition (political) (see at least 
column 4, lines 64-67 and column 5, lines 1-7) information in the database in analogous art of 
assessing creditworthiness of a country for the purposes of, "[f]actors that may interfere with an 
ability or willingness of a country and its economic agents to honor their financial or contractual 
obligations to non-resident owners...) (see at least column 5, lines 2-7). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the economic and risk factors of a country as taught by Bott with the integrated 
compliance monitoring method of Callahan. One of ordinary skill in the art would have been 
motivated to do so for the benefit of implementing a country risk assessment system (Bott, 
column 4, lines 64-67). 
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24. CLAIMS 12 and 26: 

With regard to Claims 12 and 26, Callahan and Bott do not teach assessing a recovery 
plan of the outside service provider. Borgia teaches assessing a recovery plan (plan accessible to 
a crisis team for recovery) of the outside service provider (see at least paragraph 0043) in 
analogous art of tracking compliance with policies related to management of risk for the purposes 
of "...an information policy provides the requirements for disaster recover preparedness" (see at 
least paragraph 0043). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the disaster recover preparedness plan as taught by Borgia with the economic and risk 
factors of a country as taught by Bott and the integrated compliance monitoring method of 
Callahan. One of ordinary skill in the art would have been motivated to do so for the benefit of 
un-interrupted business process due to a backup recovery plan (Borgia, paragraph 0043). 

25. CLAIMS 13 and 27: 

With regard to Claims 13 and 27, Callahan and Bott do not teach questioning the 
developer of the plan as to whether it has required elements; and developing a corrective action 
plan to address missing required elements. Borgia teaches questioning the developer (risk 
management assessor) of the plan as to whether it has required elements (consisting of a series 
of questions that must be answered with appropriate responses to product compliance) and 
developing a corrective action plan to address missing required elements (reviews areas of non- 
compliance and the associated risk acknowledgements to provide approval if appropriate) in 
analogous art of tracking compliance with policies related to management of risk for the purposes 
of " having an approved process or plan in place to achieve compliance" (see at least paragraphs 
0043-0057). 
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It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the disaster recover preparedness plan as taught by Borgia with the economic and risk 
factors of a country as taught by Bott and the integrated compliance monitoring method of 
Callahan. One of ordinary skill in the art would have been motivated to do so for the benefit of 
increased awareness and corrective measures for missing elements or non-compliance with a 
business institution (Borgia, paragraphs 0043-0057). 



26. CLAIMS 14 and 28: 

With regard to Claims 14 and 28, Callahan and Bott do not teach an alternate site for 
providing the services; and a business continuity plan for resumption of the services at the 
alternate site. Borgia teaches an alternate site for providing the services (may depend upon such 
factors as whether information is stored off site on a regular basis) and a business continuity plan 
for resumption of the services at the alternate site (Once risk is acknowledged, a plan for 
reducing the risk or bringing the project into compliance can be formulated) in analogous art of 
tracking compliance with policies related to management of risk for the purposes of "The rating for 
disaster recovery readiness may depend upon such factors as whether information is stored off 
site on a regular basis, intervals in which system backups are made, robustness of computer 
recovery systems (see at least paragraph 0017). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the disaster recover preparedness plan as taught by Borgia with the economic and risk 
factors of a country as taught by Bott and the integrated compliance monitoring method of 
Callahan. One of ordinary skill in the art would have been motivated to do so for the benefit of 
survivability due to a disaster by having an alternate backup (Borgia, paragraph 0017). 
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Conclusion 

27. The following prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure: 

• Bladen et al (U.S. Pub. No, 2002/0099586) discloses a method, system, and computer 
program product for risk assessment and risk management. 

• Buddie et al (U.S. 6,912,502) discloses a system and method for compliance 
management. 

• Aubert et al, "Assessing the Risk of IT Outsourcing", Proceedings of the 31 st Annual 
Hawaii International Conference on System Sciences, 1998, discloses to identify the 
main undesirable outcomes that may result from an IT outsourcing deal. 

• Alleman, "Risk Assessment Template for Software Development or Acquisition Projects", 
Niwot Ridge Consulting, Revision D, 20 February 2001, discloses the foundations for 
conducting a risk assessment of a large-scale system development project. 
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Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to THOMAS MANSFIELD whose telephone number is (571)270-1904. The examiner can 
normally be reached on Monday-Thursday 8:30 am-6 pm, alt. Fridays. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Tariq 
Hafiz can be reached on 571-272-6729. The fax phone number for the organization where this 
application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) 
at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative 
or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272- 
1000. 

IT. M.l 

Examiner, Art Unit 3623 

21 February 2008 
Thomas Mansfield 

/Beth Van Doren/ 

Primary Examiner, Art Unit 3623 



